VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,799)

page 25 of 440
  • CVE-2015-7877 · Critical · Sep 11, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Multiple SQL injection vulnerabilities in the User Dashboard module 7.x before 7.x-1.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2017-14252 · Critical · Sep 11, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the group_id cookie to side.php.

  • CVE-2017-14247 · Critical · Sep 11, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the user_id cookie to header.php, a related issue to CVE-2017-1000060.

  • CVE-2017-14242 · Critical · Sep 11, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter.

  • CVE-2017-14238 · Critical · Sep 11, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter.

  • CVE-2017-12731 · Critical · Sep 9, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    A SQL Injection issue was discovered in OPW Fuel Management Systems SiteSentinel Integra 100, SiteSentinel Integra 500, and SiteSentinel iSite ATG consoles with the following software versions: older than V175, V175-V189, V191-V195, and V16Q3.1. The application is vulnerable to injection of malicious SQL queries via the input from the client.

  • CVE-2017-11161 · Critical · Sep 8, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php.

  • CVE-2015-5052 · Critical · Sep 7, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL injection vulnerability in Sefrengo before 1.6.5 beta2.

  • CVE-2015-4627 · Critical · Sep 7, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL injection vulnerability in Pragyan CMS 3.0.

  • CVE-2017-14145 · Critical · Sep 5, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    HelpDEZk 1.1.1 has SQL Injection in app\modules\admin\controllers\loginController.php via the admin/login/getWarningInfo/id/ PATH_INFO, related to the selectWarning function.

  • CVE-2017-14076 · Critical · Aug 31, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the id parameter to linksmanage.php in an editlink action.

  • CVE-2017-14069 · Critical · Aug 31, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the usernw array parameter to nowarn.php.

  • CVE-2015-7517 · Critical · Aug 29, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    Multiple SQL injection vulnerabilities in the Double Opt-In for Download plugin before 2.0.9 for WordPress allow remote attackers to execute arbitrary SQL commands via the ver parameter to (1) class-doifd-download.php or (2) class-doifd-landing-page.php in public/includes/.

  • CVE-2017-10842 · Critical · Aug 29, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2017-13669 · Critical · Aug 24, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the setanswered parameter to staffbox.php.

  • CVE-2017-12679 · Critical · Aug 24, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delcheater parameter to cheaterbox.php.

  • CVE-2017-13137 · Critical · Aug 23, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in the id parameter to form.php.

  • CVE-2017-12981 · Critical · Aug 21, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via the sort parameter in an addforum action.

  • CVE-2017-12776 · Critical · Aug 18, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL injection vulnerability in reports.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the delreport parameter.

  • CVE-2017-12910 · Critical · Aug 17, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the or parameter.